@node Handshake protocol
@section Handshake protocol

@verbatiminclude handshake.utxt

Each handshake message ends with a so-called @code{IDtag}: the first 64
bits of the message, XTEA-encrypted with the client's @ref{Identity} as
the key. It is used to transmit the identity and to mark the packet as a
handshake message. The server determines which identity was used by
trying all keys known to it. This consumes resources, but XTEA is a
rather fast algorithm and handshake messages are checked seldom enough.
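
The identity lookup described above, as an added Go sketch that is not the project's own code. The function names, the 16-byte identity type (XTEA's 128-bit key size), the big-endian word order and the sample identities are assumptions made for this example.

```go
package main

import (
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// xteaEncrypt: one 64-bit block, 128-bit key, 32 cycles; big-endian words are an assumption.
func xteaEncrypt(key [16]byte, block []byte) (out [8]byte) {
	var k [4]uint32
	for i := range k {
		k[i] = binary.BigEndian.Uint32(key[i*4:])
	}
	v0, v1 := binary.BigEndian.Uint32(block[:4]), binary.BigEndian.Uint32(block[4:8])
	var sum uint32
	for i := 0; i < 32; i++ {
		v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + k[sum&3])
		sum += 0x9E3779B9
		v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + k[(sum>>11)&3])
	}
	binary.BigEndian.PutUint32(out[:4], v0)
	binary.BigEndian.PutUint32(out[4:], v1)
	return out
}

// AppendIDTag returns a copy of msg followed by its 8-byte IDtag.
func AppendIDTag(id [16]byte, msg []byte) []byte {
	tag := xteaEncrypt(id, msg[:8])
	return append(append([]byte{}, msg...), tag[:]...)
}

// FindIdentity returns the index of the known identity whose IDtag matches pkt, or -1.
func FindIdentity(known [][16]byte, pkt []byte) int {
	found := -1
	for i := 0; len(pkt) >= 16 && i < len(known); i++ {
		tag := xteaEncrypt(known[i], pkt[:8])
		if subtle.ConstantTimeCompare(tag[:], pkt[len(pkt)-8:]) == 1 {
			found = i
		}
	}
	return found
}

func main() {
	ids := [][16]byte{{1}, {2}, {3}} // constructed sample identities
	pkt := AppendIDTag(ids[1], make([]byte, 40))
	fmt.Println(FindIdentity(ids, pkt), FindIdentity(ids[:1], pkt))
}
```

The loop always walks the whole identity list and compares tags in constant time, so the lookup cost grows linearly with the number of known identities, which is the resource cost the paragraph above refers to.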

@strong{Preparation stage}:

Client knows only his identity and the passphrase kept in the human's
memory. Server knows his identity and the
@ref{Verifier structure, verifier}: @code{DSAPub}.

Client computes the verifier, which produces @code{DSAPriv} and
@code{DSAPub}. @code{H()} is the @emph{HSalsa20} hash function.

Client generates a DH keypair: @code{CDHPub} and @code{CDHPriv}.
It also generates a random 64-bit @code{R} that is used as a nonce for

@strong{Interaction stage}:

@verb{|R + enc(H(DSAPub), R, CDHPub) + IDtag -> Server|} [48 bytes]

@itemize @bullet
@item Server remembers the client address.
@item Decrypts @code{CDHPub}.
@item Generates a DH keypair: @code{SDHPriv}/@code{SDHPub}.
@item Computes the common shared key @code{K = H(DH(SDHPriv, CDHPub))}.
@item Generates a 64-bit random number @code{RS}.
@item Generates a 256-bit pre-master secret @code{SS}.
@end itemize

@verb{|enc(H(DSAPub), R+1, SDHPub) + enc(K, R, RS + SS) + IDtag -> Client|} [80 bytes]

@itemize @bullet
@item Client decrypts @code{SDHPub}.
@item Computes @code{K}.
@item Decrypts @code{RS} and @code{SS}.
@item Remembers @code{SS}.
@item Generates a 64-bit random number @code{RC}.
@item Generates a 256-bit pre-master secret @code{SC}.
@item Signs @code{K} with the @code{DSAPriv} key.
@end itemize

@verb{|enc(K, R+1, RS + RC + SC + Sign(DSAPriv, K)) + IDtag -> Server|} [120 bytes]

@itemize @bullet
@item Server decrypts @code{RS}, @code{RC}, @code{SC} and
@code{Sign(DSAPriv, K)} with key @code{K}.

@item Compares @code{RS} with its own one sent before.

@item Verifies the signature of @code{K} with the verifier @code{DSAPub}.

@item Computes the final session encryption key:
@code{MasterKey=SS XOR SC}.
@end itemize

@verb{|enc(K, R+2, RC) + IDtag -> Client|} [16 bytes]

@itemize @bullet
@item Client decrypts @code{RC}.
@item Compares it with its own one sent before.
@item Computes the final session encryption key as the server did.
@end itemize

@code{MasterKey} is a high-entropy 256-bit key. @code{K}, the DH-derived
key, has a 128-bit security margin, which is why it is not used outside
the handshake process. The @code{R*} values are required for handshake
randomization and two-way authentication.